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ABSTRACT 


This thesis concerns the possibility of deceiving cyberterrorists using 
defensive deception methods. As cyberspace today is a battleground for myriad 
cyber attacks and intrusions, it may only be a matter of time before terrorists 
choose to advance their deadly cause in cyberspace. We explore some of the 
questions raised regarding the threat of cyberterrorism by examining different 
perspectives, motivations, actors, targets, and how they may be confronted. One 
way is to draw from the lessons of deception and apply them against 
cyberterrorist attacks. Cyber deception applies in cyberspace just as well as 
deception in military battles. From the different categories of attackers that could 
perpetrate cyberterrorism, we examine the ways in which they may be deceived. 
Many of the methods and tools that cyberterrorists would use are similar to those 
used by other less malicious hackers, so we can plan specific deceptions to use 
against them in advance. 
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I. INTRODUCTION 


Much has been written about an “Electronic Pearl Harbor” even before the 
attacks on September 11, 2001 in New York and Washington D.C. In the 
aftermath of the attacks, even more questions have been raised about the 
possibility and probability of terrorist attacks in cyberspace following suit. As it is, 
the Carnegie-Mellon Computer Emergency Response Team Coordination Center 
(CERT/CC) has documented nearly 300,000 Internet security incidents since 
1988, with nearly two-thirds of them occurring between 2002 and the first three 
quarters of 2003 [CERT, 2003]. The culprits behind these incidents are not 
always evident, but often they are the work of hackers, malicious programmers, 
script kiddies and the like. Instead of these types of perpetrators, the person 
responsible could belong to a cyberterrorist group which has express intentions 
to inflict some form of widespread damage to further its cause. 

The irony of the historical Pearl Harbor is that, while the operation was a 
spectacle of military deception, coordination and resource management, the 
executor of the operation, the Imperial Japanese Navy, was decimated in the 
years that followed it. The attacker’s success was short-lived. Indeed, some are 
now suggesting that the threat of an “electronic Pearl Harbor”, in which a 
crippling blow is inflicted against national information systems, financial 
institutions, and so on, is not as significant as that of an “electronic Waterloo”, 
which would entail the long-term and systematic alteration of the world’s political, 
military and economic order. In this case, the attackers could conduct covert 
reconnaissance for months if not years to ascertain critical information assets to 
be targeted or exploited before the execution of the actual operations [CSIS, 
1998]. 

The continuing increase in reported Internet incidents probably stems from 
the growth of the Internet in recent years. The Internet counts among its 
consumers genuine users as well as those who would seek to exploit it for 

unscrupulous means or do harm. The increasing complexity of software such as 
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operating systems and Web browsers increases security vulnerabilities. At the 
same time, hacking tools are also increasing in sophistication and availability, 
meaning that vulnerabilities once exposed are quickly exploited [Denning, 2001]. 
U.S. Department of Defense surveys also showed that cyber incidents including 
probes, illicit entry and attacks aimed at causing damage and taking control have 
been on the rise, somewhat corresponding to the increasing availability of 
hacking tools, discoveries of vulnerabilities in software, and the growth of the 
Internet [Ashley, 2003]. To protect genuine users from “others”, various 
measures have been explored including law enforcement, deterrence, protection 
mechanisms, self-defense, consumer education, and awareness. In this thesis, 
one particular protection mechanism is examined, that of software deception. 

Before proceeding, we briefly explain the key concepts used in the 
subsequent chapters and how they relate to one another. These key concepts 
fall under the topic of Information Operations (lO). While there are several 
definitions of IW, the one from the U.S. Department of Defense will be taken as 
representative: 

Information Warfare includes actions taken to preserve the integrity 
of one’s own information system from exploitation, corruption, or 
disruption, while at the same time exploiting, corrupting, or 
destroying an adversary’s information system and in the process 
achieving an information advantage in the application of force 
[Joint, 1995]. 

In the definition above, one part deals with the offensive aspect of IW. In 
cyberspace, this would involve attacks on the confidentiality and integrity of data 
or the availability of services. Examples would include the insertion of malicious 
code such as Trojan horses, viruses or worms into the target computers, servers, 
or networks, the penetration of the targets to secure unauthorized access to data, 
or the execution of flood attacks to deny services. These would be classified as 
cyber attacks. Many of the techniques and tools that could be employed in 
cyberterrorism are those used in cyber attacks, and thus fall into the offensive IW 
category. Another part of the definition deals with the defensive aspect of IW. In 
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cyberspace, this involves the protection of data confidentiality and integrity, and 
ensuring and sustaining availability of services. Examples include the use of 
encryption to protect data, implementation of firewalls, and use of intrusion 
detection systems to prevent or detect unauthorized intrusions. Defensive IW 
also includes cyber deception, the use of deception techniques to fool or foil 
cyber attacks. The use of deception in software defenses thus falls under the 
category of defensive IW [Denningl, 1999; Waltz, 1998]. 

The next chapter discusses terrorism as the root of cyberterrorism. The 
difficulty in defining terrorism has created different ideas of what cyberterrorism 
could be. We explore the makeup and motivations for terrorism to see how they 
subsequently lend themselves to cyberterrorism. In the discussion on 
cyberterrorism, different perceptions are considered in an attempt to find 
principles of the threat posed by cyberterrorism. In doing so we discuss the 
motivations, actors and targets of cyberterrorism. Various measures that have 
been adopted to combat the threat of cyberterrorism are also discussed. 

Chapter III explores the use of deception in human history and in 
cyberspace. Various aspects of deception are examined, such as the structure, 
value and risks associated with the practice of deception. We also explore the 
aspects of deception most related to terrorism, namely intelligence and counter¬ 
deception. 

Chapter IV examines the use of deception in cyberspace and how these 
relate to deceiving cyberterrorists. Different theories of cyber deception are 
discussed and provide the basis for an examination of several works on the use 
of cyber deception in defense of information systems. We also explore the 
possible attack tools that cyberterrorists would use. These are then tied in with 
discussions on the means by which cyberterrorists may be deceived in defense 
of information systems. 

Chapter V concludes by summarizing the key issues and conclusions 
drawn in this thesis and postulates areas for future work. 
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II. CYBERTERRORISM 


A. ORIGINS OF TERROR 

Act of Terrorism = Peacetime Equivalent of War Crime 

Alex P Schmid (1992) 

Although terrorism is one of the most ubiquitous words in the current 
affairs, political or conflict news of the present day, few agree on exactly what is 
terrorism. As the famous cliche goes: one man’s terrorist is another man’s 
freedom fighter. Hence, terrorists never call themselves as such, and will go to 
great lengths to evade such connections [Hoffman, 1999]. 

Arguably, and unsurprisingly, the roots of terrorism could be found in 
religion, during the Middle East of the 1®‘ Century [Reich, 1998]. The Sicarii were 
an active Jewish group which set out to target other Jews who collaborated with 
the Romans. The Zealots were also a Jewish group that targeted the Romans 
and Greeks. These executions would typically be carried out in broad daylight in 
the presence of others. The objectives for such action were in part to inspire 
insurrection among the Jews against the Roman occupiers, and in part to send a 
message to the Roman authorities themselves. In his study of terrorism, 
[Hoffman, 1999] showed how the understanding and perception of terrorism 
changed over the centuries. Terrorism was popularized during the French 
Revolution toward the end of the 18*^ Century with the regime de la terreur, which 
gave us the English word “terror”. It had then a positive connotation as it was the 
system by which order was established during an anarchical period in France. 
Over time, however, its use became associated with anti-monarchy, anarchy, 
revolution, anti-establishment, violence and anti-government activity. The modern 
meaning of the word only emerged after the Second World War when terror was 
used to describe the anti-colonialistic, nationalistic and separatist revolts that 
were typically violent. 
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1. Defining Terrorism 

An expert on terrorism, Alex P. Schmid, made an attempt to provide a 
broad definition of terrorism when he examined over a hundred definitions in 
1984, and came up with 23 different characteristics that appeared in these 
definitions. The five most frequently occurring ones were (1) violence and force; 
(2) political; (3) fear and terror emphasized; (4) threat; (5) (psychological) effects 
and (anticipated) reaction. The United Nations in the 1970s tried in vain to come 
to an agreement on what was and what was not terrorism. Many of its members 
held the view that struggles against occupation or oppression, or struggles for 
liberation, freedom or independence, even if they include acts of violence, should 
not be considered as terrorism [Hoffman, 1999]. Fueling the debate further is the 
media, who have been inconsistent in their description of events. [Crenshaw, 
1995] suggested a reason for the difficulty in defining terrorism is that terrorism is 
a political label. Thus to label a group or act as “terrorist” effectively places a 
moral judgement on it, denies it political status, acceptance or recognition, and 
frames the consciousness of the masses. 

In the light of the many events since the 1970s that involved all if not more 
than the five characteristics mentioned, the United Nations Office on Drugs and 
Crime (UNODC) has since adopted an academic consensus definition provided 
by Alex P. Schmid in 1988: 

Terrorism is an anxiety-inspiring method of repeated violent action, 
employed by (semi-) clandestine individual, group or state actors, 
for idiosyncratic, criminal or political reasons, whereby - in contrast 
to assassination - the direct targets of violence are not the main 
targets. The immediate human victims of violence are generally 
chosen randomly (targets of opportunity) or selectively 
(representative or symbolic targets) from a target population, and 
serve as message generators. Threat- and violence-based 
communication processes between terrorist (organizations), 
(imperiled) victims, and main targets are used to manipulate the 
main target (audience(s)), turning it into a target of terror, a target of 
demands, or a target of attention, depending on whether 
intimidation, coercion, or propaganda is primarily sought. 
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The short legal definition proposed by the same author in 1992 defined an 
act of terrorism as “the peacetime equivalent of a war crime”, since it is generally 
agreed that terrorists are known by a refusal to be bound by international rules of 
warfare and codes of conduct. However, the validity of this short form is now 
somewhat uncertain with a blurring of the lines between wartime and peacetime 
actions, especially with “the war against terror” undertaken by the U.S. military 
and its allies in Afghanistan and now Iraq. The U.S. Homeland Security Act of 
2002 defined terrorism as follows: 


The term “terrorism” means any activity that— 

(A) involves an act that— 

(i) is dangerous to human life or potentially destructive of 
critical infrastructure or key resources; and 

(ii) is a violation of the criminal laws of the United States or 
of any State or other subdivision of the United States; and 

(B) appears to be intended— 

(i) to intimidate or coerce a civilian population; 

(ii) to influence the policy of a government by intimidation or 
coercion; or 

(iii) to affect the conduct of a government by mass 
destruction, assassination, or kidnapping. 

The agencies of the U.S. government continue to provide their own 
definitions of terrorism, each reflecting their organizational characteristics and 
focus: 

The unlawful use of force or violence against persons or property to 
intimidate or coerce a government, the civilian population, or any 
segment thereof, in furtherance of political or social objectives. 

(U.S. Federal Bureau of Investigation) 

The calculated use of violence or the threat of violence to inculcate 
fear, intended to coerce or intimidate governments or societies as 
to the pursuit of goals that are generally political, religious or 
ideological. (U.S. Department of Defense) 

Premeditated, politically motivated violence perpetuated against 
noncombatant targets by subnational groups or clandestine agents, 
usually intended to influence an audience. (U.S. State Department) 


7 



2. Motivations of Terrorism 

There are probably as many motivations for terrorism as there are 
definitions. The three most common motivations are political, religious, and 
ideological. Of these, political motivation is the most prominent as it features in 
most definitions of terrorism. [Crenshaw, 1981] suggested that the direct causes 
of terrorism are unjust discrimination, a lack of opportunity for political 
participation, elite dissatisfaction, and precipitating events. The first factor stems 
from grievances experienced by one subgroup in the population, such as an 
ethnic minority, due to unequal rights or the desire to gain a separate, 
independent state. Grievances alone do not generate terrorist reactions, but they 
are more likely to occur if the discriminations are deemed to be unjust, and if 
violence is considered as a viable means to redress the situation. Regimes that 
suppress opportunities for political participation, either by denying access to 
power or by persecuting dissidents, are bound to create dissension. In such 
situations are the seeds for revolutionary terrorism sown. Terrorism is also likely 
to occur when the young elite find themselves at odds with society and its 
general passivity. Student unrest is one such example of elite dissatisfaction, and 
may lead on to terrorist incidents. The last factor cited by Crenshaw derives from 
instances such as the use of unexpected and unusual force in response to 
protest or reform attempts by the government. This excessive use of force has 
created notable terrorist groups, such as the Irish Republican Army (IRA) and the 
Red Army Faction (RAF) of West Germany. 

Although the September 11 attacks were confined to New York and 
Washington D.C., airport security was immediately tightened not just in the U.S. 
but also in many parts of the world. As acts of political violence, the ramifications 
extend beyond the immediate target of violence, usually affecting the wider 
audience of the local population, and in many instances across national borders. 
This wide-reaching impact of terrorism serves as a strong motivation for terrorists 
[Post, 1998]. A terrorist group also needs to commit acts of violence as that has 
become what is necessary for the group to justify its existence. At the same time, 
it will deliberately steer away from any claims of success in achieving its 
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espoused causes. This avoidance of success is paradoxical - while the objective 
is the cause, success can take it away, as once a terrorist group has achieved its 
objective, it would have nothing left to fight for. 

[Whittaker, 2001] cites three other possible motivations of terrorism: 
rational, psychological and cultural. The rational motivation requires a business¬ 
like approach which considers cost-benefit analysis and risk analysis as a critical 
part of the thought process. An error of judgement could lead to the demise of 
the group itself. Psychological motivation encompasses the true believer of a 
cause, one who needs to belong to a group. At the same time, the group 
imposes a polarized “us versus them” outlook, with “them” as the evil ones, 
thereby justifying any violent action taken by the group. Moreover, a terrorist 
group must terrorize, if anything else to ensure continued self-esteem and 
worthiness of their label. Motivations for the cultural category deal with responses 
to threats against ones own existence. If a people feel that their ethnicity, 
religion, culture, language or even way of life is being suppressed or threatened 
by external influences, they may be prepared to resort to actions amounting to 
violence to ensure their survival. This will be especially so if their perception of 
the threat is such that they think it will capitulate in the face of violent action, they 
will press ahead to the results that they seek. 

3. Terrorists and Cyberspace 

Web sites are posted by various terrorist groups for specific purposes. 
Some like jehad.net and aloswa.org were set up by Al Qaeda supporters to show 
support for Osama bin Laden, while others like 7hj.7hj.com teach the use of 
hacking to serve Islam [Ashley, 2003]. The Hizbullah were known to operate 
three sites as at February 1998: hizbullah.org served as the central press office, 
moqawama.org described its attacks against Israel, and almanar.com.lb provided 
news and information [Denningl, 2000]. Many others are listed in [Thomas 
2003], the most notable of which is alneda.com which features international news 
on Al Qaeda, and purportedly contains encrypted information leading to more 
secure sites. [Thomas, 2003] also describes the use of the Internet for 
cyberplanning to support the terrorist cause through Web publicity, propaganda, 
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research and information gathering, recruitment, planning and coordination. 
Specific activities include the use of the Internet for profiling, hiding identities, 
raising money, recruiting, information gathering, disrupting businesses, as well as 
for command and control, communications, propaganda and mobilization. 

Initiating attacks in cyberspace may be a natural progression for terrorists. 
The final instructions from Mohammed Atta before the September 11 carnage 
reportedly went as follows [Thomas, 2003]: 

The semester begins in three more weeks. We’ve obtained 19 
confirmations for the studies in the faculty of law, the faculty of 
urban planning, the faculty of fine arts, and the faculty of 
engineering. 

In hindsight, one can now postulate that the 19 “confirmations” refer to the 
hijackers and the 4 faculties mentioned could either refer to the 4 aircraft to be 
used in the attack, or the 4 targets. 

The value of the Web is so well acknowledged that almost every known 
terrorist group has a Web site. They cannot even be forced off, as they can either 
go to countries with broad free-speech laws, or take advantage of service 
providers who are unaware of their existence. For example, alneda.com was first 
hosted in Malaysia, subsequently in Texas and then Michigan, before being shut 
down in June 2002 [Denningl, 2000; Thomas, 2003]. 

Electronic mail alongside cell phone surveillance has provided the U.S. 
FBI and CIA with valuable Intelligence. Reportedly, many Al Qaeda trainees were 
lax when it came to operational security pertaining to electronic mail and cell 
phones. Added to that was the use of the weaker 40-bit encryption or no 
encryption at all in their electronic mail or stored electronic documents, exposing 
them to eavesdropping and capture [Dunnigan, 2002]. In spite of these setbacks, 
it is evident that electronic mail - encoded, encrypted or otherwise - is a critical 
component of communications for many terrorist groups. 
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B. 


WHAT IS CYBERTERRORISM? 


Cyberterrorism is the convergence of cyberspace and terrorism. 

Dorothy E. Denning (2000) 

On October 21, 2002, in what was touted as “the most sophisticated and 
large-scale assault against these crucial computers in the history of the Internet”, 
nine out of the Internet’s thirteen core domain name servers were attacked for an 
hour with an overwhelming stream of traffic, effectively shutting them down. 
Fortunately, there was no appreciable impact on the Internet itself since the 
critical information stored on those domain name servers was cached in 
thousands of other servers around the world [Sullivan, 2002; Wired News, 2002]. 
But immediately after the attack, some warned that larger attacks were in the 
pipeline, and questioned if the Internet infrastructure was adequately robust to 
withstand similar if not worse attacks in future. 

In September 2003 the Al-Farouq Web site, which is purported to be 
directly affiliated to Osama bin Laden’s Al Qaeda, published a book on one of its 
Web sites entitled “The 39 Principles of Jihad”, or more specifically, the 39 
principles of Al Qaeda’s Jihad. Jihad, which literally means a struggle in the 
name of God, is also closely associated with holy war. This is reflected in the “39 
Principles”. What is of particular interest are calls for followers to utilize the 
availability of modern technology to spread the message of their cause, including 
Internet Web sites and forums, and telecommunication tools such as SMS (smart 
messaging systems). In addition, the followers were called to “Perform electronic 
Jihad” by making use of their skills to “destroy American, Jewish and secular 
Web sites as well as morally corrupt Web sites” [Leyden, 2003]. 

These examples illustrate the problems in dealing with cyberterrorism. In 
the first example, denial-of-service attacks showed that while there were those 
who sought to disrupt if not disable the Internet, the identity of the perpetrators 
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and the real motives behind the attack were unknown. Was it the work of several 
teenage whiz kids out to test their cyber skills, or a group of terrorists seeking to 
further their cause? Nor was it clear why the attacks came to a sudden halt after 
an hour. Some speculated that this was only a test run and that larger attacks are 
to be expected. Others suggested that the attackers stopped after realizing that 
the attacks did not have the intended effect. Perhaps it was the work of some 
good Samaritans who wanted to send a warning sign to the DNS operators to 
secure their systems properly, since that was what several of the operators have 
done following the incident [Wired News, 2002]. In the second example, one of 
the most notorious terrorist groups today is advocating the use of cyberspace as 
a means to further their cause, but the call is directed at defacing Web sites at 
worst. Significantly, there is no mention of using the Internet to achieve violence 
and destruction, although these people likely are planning such activities. 

1. Defining Cyberterrorism 

In the testimony to the Special Oversight Panel on Terrorism, [Denning2, 
2000] defined cyberterrorism as: 

Cyberterrorism is the convergence of terrorism and cyberspace. It 
is generally understood to mean unlawful attacks and threats of 
attack against computers, networks, and the information stored 
therein when done to intimidate or coerce a government or its 
people in furtherance of political or social objectives. 

Denial of service attacks are clearly unlawful attack against computers, 
but it is not often known if the objectives are political or social. But Web sites 
sponsored by terrorist organizations are more apparently political and would 
therefore seem to conform to a cyberterrorist’s tactics. This definition is also 
echoed by J.T. Caruso of the U.S. FBI, in his testimony before House 
Subcommittee on National Security, Veterans Affairs and International Relations 
on March 21, 2002: 

Cyberterrorism - meaning the use of cybertools to shut down 
critical national infrastructures (such as energy, transportation or 
government operations) for the purpose of coercing or intimidating 
a government or civilian population. 
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Many examples of cyberterrorism in the media seem to be derived from 
the definitions above. A 2001 Business World report listed as examples of 
cyberterrorism [Yam, 2001]: 

• defacement of U.S. Web sites after the April 1, 2001 collision between 
a Chinese jet fighter and a U.S. surveillance plane; 

• theft of information from the U.S. Department of Defense computers 
regarding U.S. troop movements, by Dutch hackers during the 1990-91 
Persian Gulf War (the hackers tried to sell the information to the Iraqis 
but the Iraqis thought it was a hoax); 

• penetration of computers at a U.S. Air base in Guam by a 15-year old 
Croatian youth. 

However these examples would not satisfy the follow-on to Denning’s 
definition above: 

Further, to qualify as cyberterrorism, an attack should result in 
violence against persons or property, or at least cause enough 
harm to generate fear. Attacks that lead to death or bodily injury, 
explosions, plane crashes, water contamination, or severe 
economic loss would be examples. Serious attacks against critical 
infrastructures could be acts of cyberterrorism, depending on their 
impact. Attacks that disrupt nonessential services or that are mainly 
a costly nuisance would not. 


With this qualification, it would seem that the many examples cited by the 
media have been misleading. Some have argued that there have been no acts of 
cyberterrorism to date precisely because of the above prerequisites. 
Interestingly, the National Strategy to Secure Cyberspace, a document released 
by the Bush Administration in February 2003 to provide a framework for the 
protection of the national Information Technology Infrastructure, makes no 
mention of cyberterrorism, cyberterror or cyberterrorists. Instead, more generic 
terms like cyber attacks and cyber threats are used. Likewise the Center of 
Strategic and International Studies chose to use the terms Tactical and Strategic 
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Information Warfare rather than cyberterrorism [CSIS, 1998]. For the purposes of 
unambiguity within this thesis, Denning’s full definition will be adopted. 

2. Cyberterrorist “Camps” 

The different views on cyberterrorism can be broken down to fundamental 
issues. We see disagreements about basic definitions of cyberterrorism, the 
threats that it poses, its utility to the terrorists, and its effects if played out. Any of 
these will lead to a different perspective on cyberterrorism. For the purposes of 
description and analysis they have been split into different “camps”. 

The first camp belongs to the “death-knell” who warn that it is only a 
matter of time before a cyberterrorist attack happens. Since most countries and 
other non-state adversaries know that they cannot match the US in the 
conventional military realm, cyber warfare is an increasingly viable alternative. 
This is accentuated by the growing reality that in many countries, their most 
valuable assets are in electronic storage and not their treasuries. With the 
information revolution, it has become easier to obtain the technical wherewithal 
to conduct IW activities using widely available commercial software and 
hardware. In addition, the Internet has provided a convenient and wide-reaching 
means for hacktivism - a fusion of hacking and activism - and other hacker 
activities. Each year, there are tens of thousands of computer attacks against the 
Pentagon. IW specialists estimate that with a budget of no more than $10 million, 
a well prepared and coordinated attack by fewer than 30 computer hackers 
strategically located around the world could “bring the United States to its knees”, 
shutting down everything from power grids to air traffic control centers to 
emergency services. The basis for this assessment was probably made from the 
experience drawn from Exercise ELIGIBLE RECEIVER in 1997, in which a Red 
Team pretending to be North Korea was formed to carry out computer attacks 
against various government sites using hacking tools freely available from some 
1900 Web sites on the Internet. Not only did they succeed in bringing down many 
key command-and-control systems, only 4 percent of those targeted were aware 
they were being attacked, and of these just 1 in 150 reported the intrusions to 
their superiors [CSIS, 1998]. The recent Slammer worm stopped Internet trading 
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activities of the South Korean stock exchange [Tullett, 2003]. Had a similar worm 
been planted by the North Korean military to subvert the South Korean defenses 
prior to a hypothetical invasion, the results could have been devastating for the 
South. Paradoxically, the goal of the “death-knell” camp is to ensure that its 
prophecies are never realized; actions taken as a result of the warnings should 
deny or at least reduce the probability of success for cyberterrorists. 

The second camp comprises the “improbable” who believe that terrorists 
are more interested in physical violence and do not have the wherewithal to carry 
out sophisticated cyber attacks. So long as physical violence and destruction 
continue to draw publicity, fear and the appropriate public responses that feed 
their cause, there is little reason for a change of methods. A 1999 NPS study on 
the prospects and implications of cyberterror found that the ability of a terrorist 
group to carry out cyberterrorist attacks depended on firstly, the group’s 
predilections toward cyberterror, and secondly, its means to do so [NPS, 1999]. 
The first requirement is not a given, since there are groups that prefer to stick to 
the more traditional means of physical destruction and violence. The second 
requirement implies a steep information technology learning curve that would 
take several years of effort for those groups that choose to develop an internal 
capability before any attacks can be effectively made. The combination of these 
two requirements significantly narrows the probability of cyber attacks by many 
terror groups. Some within the “improbable” camp think that the Internet is more 
likely to be used as a tool for cyberplanning than for out-and-out cyberterrorism 
[Thomas, 2003]. 

Thirdly there is the “nothing new” camp who claim that cyberterrorism is 

plain old terrorism executed in a different realm. Those in this camp distinguish it 

by calling it technology-enabled terrorism [Lang, 2002] or information terrorism 

[Devost et al, 1996]. While there is no doubt that the threats posed by 

technology-enabled terrorism are real, the contention is that they are no different 

from the more well-known forms of terrorism. In the case of technology-enabled 

terrorism, however, protection must be commensurate with the nature of the 

threat. Thus, network security measures, intrusion detection systems, encryption 

15 



and the like against electronic and network attacks are in order. One argument 
against cyberterrorism being merely terrorism in a different guise is whether 
cyberspace introduces new threats where there were none. A frequently cited 
example is SOLAR SUNRISE: in February 1998, two teenagers from California 
and one from Israel disrupted possible troop deployments to the Gulf when they 
launched attacks against the Pentagon’s systems, NSA, and a nuclear weapons 
research lab using a well-known operating system vulnerability [CSIS, 1998; 
Denningl, 1999]. While these three teenagers did not have terrorist intent, the 
means and potential damage that could have been caused are no different from 
what a cyberterrorist might attempt. 

The “cry wolf camp assert that threats have been exaggerated since 
there have been no known acts of cyberterrorism to date, and certainly none of 
the scale that was seen on September 11, 2001. The Symantec Internet Security 
Threat Report covering January to June 2003 covered details of malicious code, 
Win32 viruses, the Slammer and Blaster Worms, spam activity, but made no 
mention of cyberterrorism or even terrorist-related cyber activities [Symantec, 
2003]. Indeed, some have argued that the hype surrounding cyberterrorism is 
perpetuated by vendors for commercial gains. In addition, the more common 
forms of cyberspace attacks, such as Web site defacement, denial-of-service 
attacks, Internet fraud, and scams, do not kill people or destroy property the way 
terrorist attacks do [Love, 2003]. 

Finally, there is the “realisf camp who advocate that the real cyber threats 

are not from terrorists but criminals who commit cybercrimes. This thinking is 

borne from statistical evidence which show that most of the illegal activities stem 

from scams, frauds, identity theft, credit card theft, as well as hackers who are 

not in it for the money. In November 2003, the London Financial Times reported 

that hackers were exploiting computer vulnerabilities to carry out cyber extortion 

against online businesses. By carrying out distributed denial-of-service (DDoS) 

attacks, they were able to bring down the sites of their targets and threatened 

more attacks unless the businesses paid up. The reality is that the rate at which 

new Web sites are created - more than one every four seconds - makes the job 
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of law enforcement in cyberspace difficult. This is aggravated by the fact that the 
retention of computer talent in government agencies is constantly being 
threatened by the monetary lure of the private sector [CSIS, 1998]. 

While it is clear that there are different views on the threat posed by 
cyberterrorism, they all tend to agree that some form of threat exists, even if they 
disagree in its degree. They also agree that the targets are rife and attractive. 
Perhaps the question that needs to be answered is not what is the degree of the 
threat, but what has been or needs to be done to mitigate, address, counter, 
combat the threat. 

C. THE CYBERTERRORISM THREAT 

1. Motivations 

In the section on terrorism, we saw that the main motivations for terrorism 
were political, ideological or religious. If cyberterrorism were truly a convergence 
of terrorism and cyberspace, then the same motivations would apply for 
cyberterrorism, albeit in a different medium. Many of the Web sites set up by 
terrorist groups serve the objectives of politics, ideology or religion. 

Indeed, cyberspace provides certain advantages over a physical medium. 
For a start, it offers to cyberterrorism the benefit of remote and anonymous 
operations. It also avoids the need for handling physical weapons and 
explosives, and the attendant risk of spectacular failure of botched attempts 
when bombs explode prematurely. Cyberterrorist attacks are also likely to reap 
as much publicity as physical attacks [Denning2, 2000]. Additionally, cyberspace 
has enabled small players to create massive disruption, as for example through 
the creation and release of the ILOVEYOU and Nimda viruses or the more recent 
Blaster worm. This means that terrorists groups can get onto the world stage and 
create disruption and destruction on a scale that belies their size [CSIS, 2001]. 

Cyberspace attacks are not without disadvantages. Those viral or worm 
attacks that have had great reach were the result of the attacks going out of 
control; it may be difficult for cyberterrorists to control their attacks to inflict the 
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desired level of damage. Cyber attacks are probably less responsive to the 
whims of the terrorist leaders than physical attacks due to the lead time required 
to study the networks and gain access. Finally, as pointed out by the 
“improbable” camp above, a strong counter-motivation would be the 
effectiveness of tried and tested methods. It may still be easier to destroy a 
building with a car bomb than to take out all its computers with denial-of-service 
or worm attacks. This could well be the reason why little has been happening in 
comparison at the cyberterrorist front. 

2. Actors 

The existence of different cyberterrorist “camps” and forms of cyber 
attacks suggests that there may be more than just one type of cyberterrorist. 
Moreover, the nature of the medium enables cyberterrorists to be quite different 
from typical terrorists. Here we examine four possible categories of 
cyberterrorists and assess their threat. 

Many of the well-known viruses such as the Morris worm, the ILOVEYOU 
virus, and the Chernobyl virus that have plagued cyberspace were the work of 
individuals. Recent history has also seen the likes of individuals who have 
created widespread damage, fear, and psychological trauma among the 
population, such as Ted Kaczynski (The Unabomber), Tim McVeigh (Oklahoma 
City Bomber) and John Muhammed (Washington D.C. sniper). Put the two types 
of individuals together and we get lone cyberterrorists. Many virus writers do so 
for the adventure and intellectual challenge, not for the sake of creating havoc 
[Denningl, 1999]. Moreover, the damage created by viruses and worms tend to 
be economic in nature, and have not cost human lives. As such, a lone 
cyberterrorist is more likely to be a Kaczynski or McVeigh with relevant computer 
skills, rather than a hacker or virus writer intent on killing others. Given a lack of 
precedents, the threat of a lone cyberterrorist appears to be low, but not 
improbable. 

A small group of technically-skilled extremists could combine their abilities 

to create a well coordinated cyberterrorist operation. The Japanese Aum 

Shinryko cult were so well-developed in their software capabilities that they acted 
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as the software subcontractors to companies that were awarded contracts by the 
Japanese government. By the time the link was discovered in March 2000, the 
cult had already been receiving classified tracking data on Japanese police 
vehicles [Denning2, 2000]. Such groups may be considered to be a greater 
cyberterrorist threat than lone cyberterrorists because they have proven their 
ability to carry out such acts. In the case of the Aum Shinryko cult, they had 
already been found guilty of the Tokyo subway attack that killed 12 and injured 
6000 others. Now their software abilities suggest that it would not take much for 
them to translate their violent goals to the next level in cyberspace. 

Large religious terrorist organizations such as Al Qaeda with a track 
record in physical violence are another category that may embark on the 
cyberterrorism route. As it is, most of them have a presence in cyberspace and 
have even advocated electronic Jihad. [Ashley, 2003] measured the Al Qaeda 
cyber threat against the Defense Intelligence Agency threat-analysis 
methodology based on the existence, capability, intentions, history, and targeting 
of the threat and concluded that Al Qaeda posed a critical cyber threat to the 
U.S. However, a potential shortcoming in this assessment is that Al Qaeda does 
not have a proven cyber capability, notwithstanding that Qsama bin Laden had 
boasted of the existence of “Muslim scientists” among his strike force. While it 
may only be a matter of time before they strike, the cyber threat currently posed 
by Al Qaeda and similar groups may not be any more imminent compared to the 
previous category. Judging from the number of recent bombings attributed to 
such religious fundamentalist groups, and the technologically unsophisticated 
nature of the bombings, it would seem that they continue to favor the traditional 
methods. 

The final category belongs to information-warfare groups that are 

sponsored or backed by hostile governments. There are at least two levels of 

information-warfare groups, each with differing capabilities and origins. At the 

official level there are cyberwarfare units formed by governments to attack 

enemy information systems, as well as to protect their own. A report on the 

military power of the People’s Republic of China [IWS, 2003] cited the presence 
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of “Special information warfare units [that] could attack and disrupt enemy C4I, 
while vigorously defending PRC systems.” Strictly speaking they are not 
cyberterrorist outfits, but the scale and degree of harm that they were created to 
inflict are similar. These government units are restrained in peacetime by 
international treaties and therefore cannot openly carry out vulnerability scans of 
an adversary’s systems, for example. The same report also hints at the presence 
of Nationalistic hackers who form an unofficial organizational level. These are 
self-declared patriots who take it upon themselves to attack the information 
systems of other countries when they are in conflict. But the Chinese are not 
alone. [Dunnigan, 2002] reports widespread hacking by Russians, Taiwanese, 
Israelis, Indians, Pakistanis and Americans following international incidents such 
as those mentioned in the previous section. Many of these hackers contravene 
their own national laws when they carry out such activities, but often they are left 
alone by their governments so long as their activities fall in line with “national 
interests.” [Devost, 1995] suggested the employment of hackers as a national 
resource because they have the requisite skills for attacking an adversary’s 
information systems. Some evidence exists to suggest the presence of a third 
level sitting between the first two. In 2001, Taiwan allegedly unleashed several 
viruses against China but the viruses spread around the world. Taiwan has not 
admitted to these incidents [Dunnigan, 2002], but the scale and targets of the 
apparently anonymous attacks suggest that clandestine groups are operating 
with covert government links. This middle clandestine level appears to pose the 
most significant threat because they have many of the resources of the official 
groups and the freedom of action of the outlaw hackers. 

3. Targets 

In the Second World War, strategic bombing targeted the weak belly of the 
adversary, focusing on population and industrial centers in an effort to 
demoralize the frontline troops and undermine their war-making machinery. The 
information technology revolution and improved military technology have made 
possible precision bombing and targeting, thereby reducing significantly the 
killing of innocent civilians and the associated political backlash. However, the 
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information technology revolution has also shifted the balance of power to the 
commercial sector, as far as innovation, development, resources and the state- 
of-the-art are concerned. Thus it would seem that in the age of cyber warfare, 
attackers are now drawn towards those who rely heavily on information 
technology, or who would have much to lose by being denied it. In this case, the 
commercial sector would be as lucrative a target as the government. The 
frontline in cyber warfare has shifted back to the population and new industrial 
centers of information technology. 

Computers, computer servers and computer networks are usually 
considered the targets of cyber attacks. As the October 2002 attack on the nine 
core Internet domain name servers showed, such attacks have indeed taken 
place and this scenario is therefore not unthinkable. In these denial-of-service 
(DoS) attacks, target computer servers are flooded with more messages than 
they can effectively handle, thus denying service to genuine users. In some 
cases such as distributed denial-of-service attacks, the flooding is from the 
accumulation of messages from many other “zombie” servers on which malicious 
programs had been secretly planted to make them collaborators in an illegal 
activity unbeknownst to them. One of the most spectacular attacks occurred 
between 7-9 February 2000 when a massive attack crippled popular Web sites 
like Yahoo.com, Amazon.com, CNN.com, ETrade, and EBay. During that period, 
it was estimated that average surfing times were delayed by 26 percent on 
average, due to the additional traffic on the Internet as result of the attacks 
[Dunnigan, 2002]. These zombie servers could be considered both as targets 
and weapons of the cyber attack, as they first needed to be targeted for 
“conversion” before they became part of the attackers’ arsenal. 

Many cyberterrorism scenarios involve disabling the Internet or at least 

disrupting a significant portion of it. Notwithstanding that it will involve massive 

amounts of resources, coordination and know-how, disabling the Internet would 

surely cripple the communications means by which many organizations and 

agencies do their business and is therefore a high-payoff target. However, 

cyberterrorists who seek to disable the Internet must surely know that it would 
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also disable their means to carry out further cyber attacks. So such scenarios 
should perhaps be refined to paint the Internet as the last thing to go down, not 
the first. 

The cyberterrorism threat is not easily detected or anticipated. At best it 
can be deterred; at worst the system will have to absorb the first blow and 
recover quickly. Some scenarios suggest retaliation, but it is often difficult to 
determine the attacker and there may be associated legal issues. 

4. Understanding the Threat 

The gravity of the cyberterrorism threat may be measured from two parts; 
the vulnerability of targets which if exploited could lead to violence, physical 
destruction or death, and the ability and motivation of terrorists to carry out such 
attacks [Denning2, 2000; NPS, 1999]. There are many scenarios in which 
attacked information infrastructures can lead to destruction and death. For 
example if the computer systems of an air traffic control system (ATCS) are 
hacked into and manipulated, it could result in a collision of aircraft in mid-air. 
Following FBI reports of Al Qaeda members researching information on the 
Supervisory Control and Data Acquisition (SCADA) infrastructure which manages 
U.S. water and wastewater systems, new scenarios emerged with terrorists 
taking remote control of such systems and releasing dammed water onto civilian 
populations downriver [Ashley, 2003]. Other scenarios feature a blending of 
cyber attacks with physical ones (bombs or attacks on critical infrastructure). For 
example, a large or “dirty” bomb could be detonated in a crowded marketplace 
with the ability of emergency teams to respond hindered by a power and 
telecommunications failure caused by the cyberterrorist wing of the terrorist 
group. ELIGIBLE RECEIVER and SOLAR SUNRISE have shown that certain 
critical infrastructures could be susceptible to such incidents. 

The second part of cyber threat assessment deals with the ability of 

terrorist groups to carry out cyber attacks. Of the four types of actors mentioned, 

the first three have a proven propensity for wanton and indiscriminate violence. 

That this has not occurred in cyberspace suggests that they either lack the 

means or will to do so. However, this state of affairs cannot be relied upon as the 
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terrorist ranks are gradually filled with newer and younger recruits who have 
grown up with information technology. A more sinister threat of cyberterrorism is 
when cyber attacks carried out by any of the actors remained undetected. Those 
attackers that are discovered either lack sophistication or are too disorganized to 
conduct any coordinated attack. The more serious threats are likely unseen, 
complex and distributed. Attackers could conduct covert reconnaissance for 
years to ascertain critical information assets before execution of actual 
operations [CSIS, 1998]. Some have called this the new terrorism [Gordon & 
Ford, 2002]. In this scenario, Web site defacements, hacktivism and hacking 
intrusions are probably only the tip of the iceberg. 

5. Combating the Threat 

As [Betts, 2001] concluded on whether there will be another catastrophic 
Intelligence failure like September 11, it is a question of when, not if. So it is just 
as important to prepare to manage the damage as it is to prevent it. The Defense 
Science Board suggests that “deterrence in the information age is measured 
more in the resilience of the infrastructure than in a retaliatory capability” [CSIS, 
1998]. 

Cyberterrorism needs to be fought with the same breadth of measures 
and intensity accorded to terrorism. Hence there is a need for an appropriate 
framework for law enforcement and intelligence gathering to thwart the efforts of 
cyberterrorists. In the U.S., initiatives include the FDD 63 (President Decision 
Directive), the establishment of the NIPC (National Infrastructure Protection 
Center), the ISACs (Information Sharing and Analysis Centers) for the private 
sector owners of critical infrastructures, and Infragard, a community of 
professionals with an interest in protecting their information systems [Rodgers, 
2003; CSIS, 2001]. This year, the Bush Administration released the National 
Strategy to Secure Cyberspace document to consolidate the U.S. government’s 
commitment to fight cyberterrorism and other cyber threats. Singapore has 
recently enacted a cyber law akin to the American Patriot Act that would enable 
the authorities to initiate pre-emptive action against hackers in Singapore and 
seek Interpol’s assistance for hackers overseas [STI, 2003]. The enactment of 
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such laws is not without objections. There are outcries by the libertarian 
groups who feel that such powers are too 

wide-ranging and can lead to a significant loss of electronic privacy. They also 
question the availability of checks and balances to ensure restraint and prevent 
abuse by the authorities. 

Other methods of combating cyberterrorists involve the use of honeypots 
and software decoys. The former collects data to better understand the 
techniques employed by computer intruders, while the latter seeks to provide 
additional layers of protection against them. Both of these will be covered in more 
detail in subsequent chapters. 
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III. DECEPTION 


In 149 BC, the famous strategist Kong Ming of Shu, launched an 
attack against the state of Wei by sending an advance force to 
scout for the enemy. Leading the army of Wei was Suma-I who also 
sent an advance force of fifty thousand troops. The two vanguards 
met and engaged in battle but the Wei forces were superior and 
won the day. The defeated Shu vanguard raced back to the main 
body of Kong Ming's army whose troops, seeing the look of fear in 
the faces of their comrades, thought that the enemy was upon them 
and fled in panic. Kong Ming and a few bodyguards fled to the city 
of Yangping with the Wei army in hot pursuit. Vastly outnumbered 
and unable to either retreat or sustain a siege, Kong Ming played a 
last resort strategy that made him famous throughout China. He 
removed all the guards and battle flags from the walls and had all 
four of the city gates flung open. When Suma-I approached the city 
he could see only a few old men nonchalantly sweeping the 
grounds within the gates. Kong-Ming was seen sitting in one of the 
towers smiling and playing his lute. Suma-I remarked to his 
advisors: “That man seems to be too happy for my comfort. 
Doubtless he has some deep laid scheme in mind to bring us all to 
disaster.” As they stood spell bound, the strains of Kong Ming's lute 
reached their ears and this only heightened their sense of 
foreboding. Such peculiar behavior was too suspicious and, fearing 
a clever trap, Suma-I turned his army back and retreated. After the 
army left Kong Ming and his remaining troops departed in the 
opposite direction and made their way safely back to their capital. 
[Verstappen, 2003] 


A. THE MANY FACES OF DECEPTION - DECEPTION IN ACTION 

1. Deceptions in Nature 

The master practitioners of deception are to be found in nature, since it 
often is a matter of life or death. The puffer fish transforms itself into an enlarged 
ball shape thus giving the impression that it is more than a mouthful to its 
predators; the buff-tip moth’s woody shape and colors makes it look more like a 
broken twig to escape the attention of predatory birds; the hawk moth caterpillar 
inflates the front of its body to look like a snake’s head when confronted with a 
threat; the tasty viceroy butterfly mimics the wing pattern and color of the bitter¬ 
tasting monarch butterfly. Also, the monkey-slug caterpillar grows hairy fake legs 
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that break off harmlessly when bitten by a predator; and the European grass 
snake attempts to deter a predator by puffing itself to look bigger and hissing 
loudly, then plays dead by rolling belly up and hanging its tongue out. 
[Krautwurst, 2001]. 

For these and many other animals, deception is a natural and important 
tactic that could help determine the survival or extinction of their species. 
[Gerwehr & Russell, 2000] proposed several principles of deception based on 
animal biology and behavior. They found that species of all types, including 
plants, use many different types of deception in all kinds of life-supporting 
environments. Deception is also used by both predators and prey. Even minor 
applications can confer selective advantages. 

2. Deceptions in Human History 

All warfare is based on deception. 

- Sun Zi Bing Fa 
(Sun Tzu; The Art of War) 

Human history abounds with stories, anecdotes and legends of deception, 
the most notable of which are in military history. One of the most famous 
historical proponents of deception is the ancient Chinese military philosopher 
Sun Zi, whose writings in the 4**^ Century B.C. clearly advocated the use of guile 
and deception in trying to overcome one’s enemy. The opening story of this 
chapter is but one of the many examples of deception to emerge from the Far 
East, where Sun Zi’s writings had had a great influence [Whaley, 1980]. 

The most well-known ruse in military folklore is probably the Trojan Horse 
in which the Greeks devised a large wooden horse in 1183 B.C. as a means to 
sneak thirty warriors hidden in its belly past the city gates of Troy. The Trojans, 
believing that the Greeks had finally given up after ten years of siege, took the 
horse into the city as a victory trophy. While the Trojans celebrated the night 
away, the thirty Greek warriors emerged from the horse and threw open the city 
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gates for the rest of the Greek forces, which were lying in wait beyond the 
horizon, to conquer the city [Bell & Whaley, 1991]. 

Deception is not uncommon even in the Bible; In Genesis Chapter 27, 
Jacob obtained his father Isaac’s blessings by fraud. As Isaac was old and 
almost blind, Jacob was able to pretend to be his brother Esau by wearing his 
brother’s clothes and made himself hirsute like his brother by covering his arms 
and the smooth part of his neck with the skins of kids. In doing so he deceived 
his father’s sense of smell and touch respectively. In Joshua Chapter 8, Joshua 
devised a stratagem to lure the King and people of Ai away from their city. After 
positioning some thirty thousand troops in a concealed location to the rear of the 
town, Joshua led the rest of his forces in an advance on the town. As Ai’s troops 
came out to engage the enemy, Joshua and his troops bid a hasty retreat, giving 
the impression that they were in disarray. Sensing an opportunity, the King of Ai 
led his troops in pursuit of the falling enemy. Meanwhile, the troops that were 
concealed by Joshua ran out of their ambush to capture the undefended Ai. 

The last century saw the introduction of new weapons and technology 

hitherto unknown in warfare. All the same, these new capabilities gave rise to 

new methods of deception, but with the same effect - misperception and 

surprise. During the Second World War, the Allied Forces conceived a series of 

ambitious and elaborate deception plans code-named BODYGUARD in an 

attempt to conceal the Allies’ plans for the invasion of Normandy. The intent of 

BODYGUARD was firstly to deceive Hitler into dispersing his troops throughout 

Europe so that the Germans did not have sufficient strength at Normandy to 

repel the landings there; secondly to delay German response to the actual 

invasion by confusing their Signal Intelligence and administrative-support 

systems. The deceptions were so successful that two weeks after the landings. 

Hitler was still under the impression that the activities at Normandy were a feint. 

Instead of reinforcing the defenses there, he stubbornly maintained his troops at 

Pas de Calais where he thought the main landings would take place. In the battle 

for the liberation of Kuwait in 1991, the Coalition Forces staged several 

demonstrations by the Navy and Marines to suggest to the occupying Iraqis that 
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the main Coalition attack would come from the Saudi-Kuwaiti border and from the 
sea, thereby fixing the Iraqi divisions to the defense of Kuwait’s southern border. 
The demonstrations included the positioning of a large amphibious task force, 
together with air refueling and various training activities in the Persian Gulf off 
Kuwait. These activities were further reinforced by the absence of air attacks at 
the Western front where the main attacks were going to take place. Operations 
conducted by Special Forces added to the Iraqi confusion on the source of the 
main attacks [Joint, 1996]. 

B. DEFINING DECEPTION 

In one definition, deception is simply the “distortion of perceived reality” 
[Whaley, 1982]. But as seen in the previous paragraphs, there are many faces to 
deception, which makes an overarching definition difficult. Note how the following 
definitions derive from their different perspectives: 


The military perspective [Joint, 1996] - military deception is defined 
as being those actions executed to deliberately mislead adversary 
decision makers as to friendly military capabilities, intentions, and 
operations, thereby causing the adversary to take specific actions 
that will contribute to the accomplishment of the friendly mission. 

The Intelligence perspective [Shulsky & Schmitt, 2002] - deception 
is the attempt to mislead an adversary’s intelligence analysis 
concerning the political, military, or economic situation he faces, 
with the result that, having formed a false picture of the situation, he 
is led to act in a way that advances one’s interests rather than his 
own. 

The theoretical perspective [Whaley, 1982] - deception is 
information designed to manipulate the behavior of others by 
inducing them to accept a false or distorted presentation of their 
environment - physical, social or political. 

The “historical” perspective [Carr, 2000], from Sun Zi Bing Fa - 
when able, seem to be unable; when ready, seem unready; when 
nearby, seem far away; and when far away, seem near. If the 
enemy seeks some advantage, entice him with it... If he is strong. 
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evade him. If he is incensed, provoke him... Attack where he is not 
prepared; go by way of places where it would never occur to him 
you would go. 

A common characteristic among these definitions is the notion of 
misperception. This will be elaborated further in the next section. 

1. Taxonomy of Perception 

[Whaley, 1982] developed a general theory of deception on the basis that 
deception is a matter of misperception. For this, he proposed a taxonomy of 
perception, as shown in Figure 1, to show the relationships between perception, 
misperception and deception. 



Figure 1. A Taxonomy of Perception (After [Whaley, 1982]) 


The taxonomy distinguishes between the other-induced and self-induced 
misperception, as well as between deliberate and non-deliberate acts. Self- 
induced acts are also known as delusion while non-deliberate or unintentional 
acts are considered misrepresentations. For deception to take place, the act 
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must be a deliberate one, with a specific intent and effort on the part of the 
deceiver, with the purpose of inducing a misperception by the victim. 

2. Structure of Deception 

A different structure of deception was also proposed by Whaley in 
[Whaley, 1982] as comprising simulation (showing the false) and dissimulation 


(hiding the real). 


The Structure of Deception 

Dissimulation 

(Fliding the Real) 

Simulation 

(Showing the False) 

Masking 

(to eliminate an old 
pattern or blend it with 
a background pattern) 

• Concealing one’s 
own characteristics 

• Matches another’s 
characteristics 

Mimicking 

(to recreate an old 
pattern, imitating it) 

• Copies another’s 
characteristics 

Repackaging 

(to modify an old 
pattern by matching 
another) 

• Adds new 
characteristics 

• Subtracts old 
characteristics 

Inventing 

(to create a new 
pattern) 

• Creates new 
characteristics 

Dazzling 

(to blur an old pattern, 
reducing its certainty) 

• Obscures old 
characteristics 

• Adds alternative 
characteristics 

Decoying 

(to give an additional, 
alternative pattern, 
increasing its certainty) 

• Creates alternative 
characteristics 


Table 1. The Structure of Deception (After [Whaley, 1982]). 


Table 1 can be interpreted in several ways. First, it provides a breakdown 
of the two main forms of deception, dissimulation and simulation. Secondly, it 
shows the dependency relationship between the two: for deception to occur, 
simulation cannot exist without dissimulation, because all deception involves 
hiding [Bell & Whaley, 1991]. Moreover, the two main forms are often present 
together in an act of deception. When something is hidden, something else can 
be shown either in its place or elsewhere, thereby inducing the false perceptions 
about what is happening. This duality also applies to the subcategories. Masking 
is present with mimicking, repackaging with inventing, and so on, as shown by 
the horizontal color shadings. Finally, the level of effectiveness of deception 
decreases as one goes down the table. 
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C. THE VALUE OF DECEPTION 

Even with modern technology, deception is valuable. This is because 
deception can act as a force multiplier that offers advantages to either the 
attacker or defender, whether they are strong or weak. 

1. For the Attacker 

Deception can enable an attacker to achieve their objectives more easily. 
The 1991 Persian Gulf War was an instance of a strong attacker (the U.S. led 
coalition forces) against a weak defender (Saddam Hussein’s Iraqi Forces). By 
fooling the Iraqis into believing that the attack would come from the south and 
east, the main attack which came from the west was able to proceed with great 
speed. 

An attack by a weak force is not a typical occurrence in conventional 
warfare, but in the history of deception this is not uncommon. One example in the 
Bible is Gideon’s creation of a dummy force to deceive his enemies [Bell & 
Whaley, 1991]. Technological surprise can also help as evidenced by the famed 
slingshot used by David against Goliath. 

2. For the Defender 

Deception may enable a weak defender to achieve victory without force. 
The story of Kong Ming at the opening of this chapter is one classic instance. 
Deception can also be regarded as a worthy and humane alternative to violent 
conflict. Tactics such as bribing the mercenary officers of the enemy, circulating 
false reports to degrade enemy morale (or boost their own) or fabricating 
treasonable letters to frame enemy commanders enabled the Byzantine empire 
to survive almost a thousand years against the myriad forces that surrounded 
them [Dunnigan & Nofi, 1995]. A strong defender can also benefit from the use of 
deception to take the initiative away from the attacker. Deception could entice the 
attacker to commit his forces at a time and place to the defender’s advantage. In 
early 1944 the British started a massive bombing campaign against reinforced VI 
and V2 missile launchers in Pas de Calais, France. The campaign was 
successful, rendering the sites unusable and the surrounding roads impassable 
to heavy equipment. Although the Germans switched the missile sites to mobile 
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ones for the V2 and easily erectable ones for the V1, Hitler ordered that repair 
work be started on the fixed sites even though there was little hope of ever using 
them. This forced the British to continue to focus their attention and precious 
bomber resources on the fixed sites. The catch was that had the British seen 
through the deception, they might have disregarded the sites and allowed the 
repair work to continue until the sites were actually usable once again [Jones, 
1989]. This was an instance of a feint that served its purpose whether or not it 
was detected as such. 

3. Nesting Deceptions 

Deceptions that are detected could hide a second deception as a form of 
nested deception where one deception is used to hide another. In the Second 
World War, the British commander Brigadier Dudley Clark created A-Force that 
employed a host of trickery in the North African desert, such as tanks that looked 
like lorries and vice versa, and lorries that carried devices to create tank tracks in 
the desert sand. In the battle of El Alamein against Rommel in 1942, Brigadier 
Clark’s A-Force created a string of dummy guns enmassed on the southern front 
of the battle area. However, these were detected as such by the German Afrika 
Korps early in the battle, and were consequently disregarded by the Germans. 
But the dummies were replaced thereafter by real guns which were used to 
support a subsequent attack [Jones, 1989]. 

It is also a common belief that a ruse once used should not be repeated, 
but history is replete with recycled tricks [Whaley, 1987]. In 1864, General 
Sherman marched 180 miles through the eastern Confederacy toward Atlanta 
along a single railway line. Throughout his drive, he was aware that the 
Confederates knew his logistic tail was confined to that single line, and yet he 
was able to repeatedly surprise his enemies as to the time and place of his 
attacks by choosing either the left or right flank of the railway line to attack and 
defeat them [Bell & Whaley, 1991]. 
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D. THE DECEPTION PLANNING PROCESS 

Successful deception starts with a deception plan. [Gerwehr & Russell, 
2000] describe their three-stage deception process as one in which “the ends 
dictate the means.” This is reinforced in [Cohen, 2002] who observed that 
deception plans are driven by the desired effect on the target. [Fowler & Nesbitt, 
1995] proposed six fundamental rules to guide a deception planner towards 
success. The U.S. Joint Doctrine for Military Deception [Joint, 1996] contains a 
six-step deception planning process that requires command involvement and 
approval at each stage of the process. [Whaley, 1982] has suggested a ten-part 
step-by-step planning process for deception to increase the probability of 
success as follows: 

1. Identify the strategic goal 

2. Decide how the target should react 

3. Determine what the target should perceive 

4. Decide what to hide and show 

5. Analyze the pattern for hiding 

6. Analyze the pattern for showing 

7. Design the desired effect with the hidden method 

8. Sell the effect to those who are executing the deception 

9. Decide the communications channels to transmit the deception 

10. The target buys the effect and falls for the deception 

In addition to these ten steps, the deception planner must prepare for 
contingencies in the event that the deception fails. During the course of the 
deception, the planner also seeks feedback to ensure that the target is 
responding in the expected way. 
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E. DECEPTION, INTELLIGENCE AND COUNTER-DECEPTION 

Deception and intelligence failure are closely intertwined because a 
successful deception by one side is usually the result of an intelligence failure by 
the other [Shulsky & Schmitt, 2002], The Second World War deception operation 
BODYGUARD was successful because German intelligence failed to detect the 
Allies’ true intentions. Correspondingly, any deception effort must ensure that the 
sensors in the enemy’s intelligence collection layout are present and capable of 
recognizing the intended ploy (“buying the effect”) while our own intelligence 
collection assets must be deployed to provide feedback on our deception effort. 
This is reiterated in the Joint Doctrine for Military Deception [Joint, 1996] which 
stipulates that intelligence and counter-intelligence are critical for identifying the 
enemy’s decision makers, ascertaining their perceptions and information 
gathering capabilities, as well as assessing reaction to the deception operation. 

Deception is also tightly linked with counter-deception, which refers to the 
detection of deception [Whaley, 1982]. Since it is not possible to hide or show an 
object or event to the “full extent”, incongruities can occur in every deception 
operation. An intelligence analyst need only detect one inconsistency among the 
collected data to sense that something is amiss in the analysis. A cheat’s first 
mistake is probably his last. [Jones, 1989] wrote in 1942 that “No imitation can be 
perfect without being the real thing.” While it is always possible to detect a 
deception in theory, detecting a deception can usually be very difficult. This is 
even more so when it concerns strategic deception, as the counter-deception 
analyst is dealing with intentions or motives at the highest levels [Kam, 1988]. 
Even when incongruities are spotted, it is usually easier to believe that a mistake 
or omission has been made. When the British Secret Service MiG’s Dutch agents 
sent encrypted messages back to headquarters in 1941, they were required to 
include a security check to prove that the message was not spoofed or sent 
under coercion. Unfortunately, the staff officer in charge in London told a “Dutch 
agent” to follow proper procedure and instructed the agent on the use of the 
security check. The Germans who were impersonating the “Dutch agent” were 
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now unwittingly informed about it. This enabled the Germans to continue their 
Nordpol deception operation against the British up until 1944 [Shulsky & Schmitt, 
2002 ], 

Understanding deception itself is a first step towards counter-deception. A 
renowned British practitioner of deception in the Second World War, Dr. R. V. 
Jones, who was an intelligence officer, established two principles for unmasking 
deception [Jones, 1989]: 

(1) in any channel of intelligence through which you may be 
deceived, arrange to work down to a greater level of sophistication 
than your opponent has expected you to adopt, and (2) bring all 
other possible channels of intelligence to bear on the problem, to 
see whether the evidence that they can provide is consistent with 
the evidence in the channel through which you suspect you are 
being deceived. 

It is also possible to employ deception to acquire intelligence. Scouts 
reconnoitering for the enemy sometimes engage in a tactic called “recce by fire” 
to trick the enemy to return fire thereby revealing their positions. A variation of 
this is “fighting fire with fire” in which the adversary’s use of deception is defeated 
by our own use of deception. An example of this in nature is the boomsiang 
snake’s use of its own camouflage to defeat the camouflage of the chameleon. 
When the unsuspecting chameleon forages about in the proximity of the snake, 
its movements reveal the lizard to the predatory snake. 

F. PITFALLS OF DECEPTION 
1. Traps That Backfire 

A deception that is detected could be used against the deceiver. When 
General Navarre’s French garrison secured the mountain top at Dienbienphu in 
1953, he saw it as an opportunity to lure General Vo Nguyen Giap’s Viet Minh 
troops towards his position of strength. But Dienbienphu became a symbol of 
French military prestige worldwide. This had the unfortunate consequence that 
Dienbienphu had to be held at all costs by the French, and a victory by General 
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Vo would have severe political repercussions for the French. The French were 
caught in their own trap as evacuation had also become impossible [Whaley, 
1987], 

2. Active and Passive Deception 

Given the risks associated with deception, practitioners distinguish 
between passive and active deception. Passive deception such as camouflage 
and concealment is the safest and most easily enforced [Dunnigan & Nofi, 1995]. 
Most armies sport battle dress uniforms with disruptive pattern material and 
include camouflage and concealment in their field deployments and tactics. 
Aircraft and ships are also painted to enable them to break their silhouettes and 
better blend against their backgrounds. Special patterns may also be added. 
Stealth technology that is employed in new generation aircraft and ships strive to 
deceive electronic sensors. 

Active deceptions can be risky because they are often unpredictable and 
complex to execute. The Joint Doctrine for Military Deception [Joint, 1996] 
stresses that “deception planners must carefully consider the risks involved 
versus the possible benefits of the deception.” One risk of deception is that once 
detected by the enemy, the deception could be turned against the deceiver if the 
exposure is not known to the deceiver. A second risk pertains to the balance 
between secrecy and exposure; secrecy is needed to prevent dangerous leaks, 
but unaware friendly forces or allies could take action that could lead to 
unintended conflict, errors of judgment and fratricide. Many therefore conclude 
that the risks of active deception are so high that it would be better not to attempt 
it at all. Yet [Whaley, 1987] suggests that this is pessimistic advice. 

3. Legalities 

Another pitfall of deception involves the legality of deception. The Geneva 
Conventions state that the use of camouflage, decoys, mock operations and 
misinformation is permitted, but what is expressly prohibited is the use of perfidy. 
These are acts that, for example, gain the confidence of the enemy into believing 
that surrender would entitle them to protection under the rules of international 
law, when the real intention is to betray that confidence and annihilate them after 

36 



their surrender. But the reality is usually that the space between what is 
permitted and what is not is very grey. Creating decoy missile launchers to fool 
air surveillance is legal, but hiding the real missiles under a Red Cross banner, in 
a hospital building or a national monument is probably not. We could argue in 
this case that the deception is not ethical. Indeed, what is legal is not necessarily 
ethical. Hence deception is sometimes also justified by the outcome. That is, the 
means is justified by the ends when the cost of deceiving is higher than the cost 
of not deceiving. In the animal kingdom, the cost is clear - it is a matter of 
survival. In the human world, it could mean reducing loss of friendly lives if a 
deception operation was successfully carried out. 
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IV. CYBERTERRORISTS AND CYBER DECEPTION 


A. DECEPTIONS IN CYBERSPACE 

A new domain is being used today for human deception: cyberspace. 
Cyber deception has been especially successful because of the tendency of the 
average computer user to trust what they see on the screen to be authentic. A 
recent example of deception in cyberspace occurred in Oct 2003 when a fake 
FBI site sporting authentic FBI logos was discovered to be luring Internet users 
into divulging their bank account numbers [Sullivan, 2003]. In what is known as 
“phishing”, an electronic mail was sent to users with a message seemingly from 
the FBI informing them about a massive theft of debit card numbers. A link was 
given to visit a supposed FBI Web site to key into a form their debit card numbers 
and account balance to check if their account had been compromised in the 
“theft”. In actual fact, both the mail and the Web site were false fronts and instead 
of directing users to https://www.fbi.gov/debit_theft.html as it appeared, they 
were sent to a Web site hosted at fbi.x-web-x.com. The data entered into the 
fake FBI form would then be transmitted to a Russian electronic mail address. 

Phishing is but one of the more recent manifestations of Internet fraud. 
The more common ones include phoney business opportunities, “official” or 
“government” information requests that demand information through 
questionnaires or forms, and investment fraud [Dunnigan, 2002]. The latter 
typically appears in the form of a sender (the crook) looking for an investment 
partner (the victim) to provide a bank account to which a large sum of money 
would be “transferred out” from a foreign account. Through the transaction the 
victim would be rewarded with a commission based on a percentage of that sum 
transferred. The enticement is that this commission usually runs into a large 
amount of money. Other variants involve an opportunity to join an investment 
promising high returns, or a lottery win that requires a bank account to which the 
prize money would be transferred. Whatever the style, the outcome of the 
enterprise is usually that the victim’s bank account is cleaned out instead. The 

author himself has received (through a personal electronic mail account) several 
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of these electronic mails in the course of the past year alone, so the crooks are 
still hard at work in this day. Excerpts from some of these electronic mails are 
included below: 


... all I needed from you is to furnish me with your bank particulars: 

1) Account name 

2) Account number 

3) Bank address, telephone and fax number 

For you to assist me transfer this money in your private bank 
account, the said amount is (Twenty seven Million Dollars) $27 
Million. I am compensating you with 12% of the total money 
amount... 


... the family has asked me to seek for a foreign partner who can 
work with us as to move out the total sum of US$75,000,000.00 
(seventy-five million United States dollars), presently in their 
possession ... 

... I am hereby soliciting your assistance to provide a foreign bank 
account (Personal or company’s) for the lodgment as acclaimed 
beneficiary since the over-invoiced contracts were dully executed 
by some foreign firms also. We have also mutually agreed to 
compensate you with 25% of the total sum ... 

... For due processing and remittance of your prize to a designated 
account of your choice. Be categorically inform that any necessary 
obligation/requirement should be met by individual beneficiary 
towards remittance of your fund to your account... 


Another form of deception in cyberspace involves social engineering, 
“getting people to do things they wouldn’t ordinarily do for a stranger” [Mitnick, 
2002]. Using a variety of techniques that prey on human goodwill, trust, 
helpfulness, gratitude, and gullibility, highly secure computer systems and 
networks can be compromised by attacking the weakest point, the human users. 
By pretending to be a new system administrator, technician or security 
consultant, social engineers can trick the victims into revealing passwords or 
remote-access numbers to enable them to break into computer systems. A 
further development in social engineering is the use of online translators and 
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relay telephony services that allow social engineers to exploit and overcome 
language barriers [Ollmann, 2003]. Relay telephony services are online services 
provided by telecommunications companies to help persons with hearing or 
speech disabilities through the use of an intermediary. This means that social 
engineer can conduct an anonymous attack on a victim who speaks a language 
that is unfamiliar to the social engineer without providing as many direct clues as 
to their deceptiveness. 

Even in more mundane environments, the use of deception has also been 
an ongoing occurrence in information systems where multi-level security requires 
cover stories against unauthorized users, or in electronic commerce where some 
form of deception is employed in software agents that are used in price 
bargaining [de Rosis et al, 2004]. Other attack techniques that use deception 
include spoofing and masquerading, covert channel exploitation, false updates, 
man-in-the-middle attacks and software Trojan Horses. A software Trojan Horse 
is an “information warfare tool that is used to gain access to an information 
resource” [Denningl, 1999]. Examples of Trojan horses include logic bombs, 
additional instructions in memory and operating system modifications [Coheni, 
1998]. 

One interesting aspect in the use of cyber deception is whether computers 
can be deceived. Fooling a computer user is easy as the examples above have 
shown. The computer users are merely proving Whaley’s theory of perception 
[Whaley, 1982] that deception must take place in the mind of the person 
deceived. This same theory is challenged, however, when we consider whether a 
computer used in an attack, such as one based on an automated script, can be 
deceived since it does not have a “mind” that can be fooled. As it turns out, 
automated scripts are programmed with certain expected outcomes and these 
can be “tripped” when they encounter a surprise, or specifically, a deception. 
However, the question of whether more sophisticated attack software can be 
deceived by complex defensive deceptions is an open one. The answer may well 
be found amidst the ongoing competition between virus writers and anti-virus 
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software vendors, or between hackers and intrusion detection systems, where 
the opposing parties are constantly trying to outdo and outsmart each other. 

B. THEORY OF CYBER DECEPTION 

1. A Taxonomy of Cyber Deception 

Others have sought to provide different perspectives based on context 
and other models. The taxonomy proposed by Dunnigan and Nofi [Dunnigan & 
Nofi, 1995] lends itself particularly well to understanding deception in 
cyberspace, as suggested by [Cohen2, 1998] and [Rowe & Rothstein, 2003]. 
Deceptions in cyberspace and cyber deception are used interchangeably here, 
and refer to the use of deception techniques in cyberspace, computers and 
computer systems. It should also be noted that this taxonomy is by no means 
definitive, but is meant to be illustrative. 

a. Concealment 

Concealment is hiding using natural means such as terrain and 
vegetation. Concealment is regarded as one of the oldest forms of deception and 
is still actively used in the animal kingdom. Cyberspace offers many options for 
hiding. A hacker can conceal malicious files or software in some obscure 
directory or in normal code within the target system, which are part of the 
system’s “natural” environment. The newer versions of the Windows operating 
system use the NTFS file system which supports both a normal file stream as 
well as an alternate data stream. In Windows Explorer, the normal stream 
provides the expected contents of a file, while the alternate data stream enables 
an arbitrarily large amount of data to be hidden behind the normal file. This 
means that a hacker can hide files or programs behind other files in the target 
computer without the knowledge of the legitimate users [Skoudis, 2002]. 
Technology also allows for information hiding through techniques such as 
steganography where the very existence of the information being hidden is 
concealed. One example involves hiding messages within the noise of a digital 
image, in which some of the bits making up the image are used to encode a 
secret message without significantly altering the image [Denningl, 1999]. Those 
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who are aware of the existence of the message can proceed to decode it, and 
those who do not, remain ignorant. 

b. Camouflage 

Camouflage involves hiding with the use of artificial means, such as 
the use of cut branches and plucked leaves on oneself to better blend in with a 
forest. The proverbial wolf in sheep’s clothing is another example of camouflage. 
In information systems, malicious software such as a logic bomb could be 
camouflaged by an innocuous filename. An example was demonstrated by 
[Anderson, 2002] in which a few lines of code were able to create a significant 
vulnerability in the target system, camouflaged as a corrupted packet within a 
Network File Server. Since corrupted packets are a common occurrence in 
networks, it was near impossible for intrusion detection systems or firewalls to 
single out the malicious one. Another form of camouflage is the use of “Easter 
eggs”, in which “amusing tidbits” are hidden by creators in their products. The 
Web site www.eeggs.com is an archive of various Easter eggs, of which one of 
the more well-known ones is the flight simulator hidden within Microsoft Excel 97. 

c. False and Planted Information 

This refers to the feeding or planting of information that would 
cause the enemy to respond or react in a manner contrary to his own good. For 
such a technique to be effective, it is necessary to understand the behavior of the 
target and the ongoing context in which the deception is to be carried out. False 
information planted in computer systems could potentially divert or confuse 
attackers. For example, false instructions could be planted in hacker discussion 
forums or bulletin boards that describe how certain flaws could be exploited 
[Rowe & Rothstein, 2003]. However, such actions are probably not very 
beneficial for a cyber defense system since the hackers may not take the bait. 
Those who do may quickly find that the instructions are inaccurate and not 
pursue the attack. The detection of false information in computer systems is not 
necessarily difficult; a knowledgeable hacker is likely to recognize a honeypot. 
This technique is also difficult to execute because one can never be sure if the 
enemy sees the information at all as well as falling for it. 


43 



The Internet can be used to spread disinformation, rumors and 
false reports. A constant campaign of disinformation reinforced with images of 
Osama bin Laden manipulated to look healthy and happy could seriously 
undermine the global anti-terrorist efforts [Thomas, 2003]. 

d. Ruse 

This is the use of tricks to make the enemy think that you are 
friendly when in fact you are not, such as using enemy equipment or wearing 
enemy uniforms. Network site (IP) spoofing is a common ruse to make the target 
network accept the attacker as friendly. With this, the attacker can convincingly 
forge certain kinds of electronic mail. For instance, the W32.Mimail.C@mm is a 
mass-mailing worm for denial-of-service attacks against hard-coded sites. It is 
distributed as a .zip archive which may include a file named photos.jpg.exe, 
giving the impression that double-clicking the file would open photos [Symantec, 
2003]. Ruses are not very useful as a defensive technique, partly because it 
invites legal complications, and partly because it is difficult to pretend to be a 
hacker. 

e. Display 

A display attempts to make the enemy think that something is there 
when there is none. An old example is the tying of branches to horses and 
making them run around to create the impression of a large cavalry force on the 
move. Another is the use of dummy missiles and fake artillery pieces in the 1991 
Gulf War. In an attack on an information system, the attacker is apprised of the 
effects of his actions by the system responses. If a known virus is planted, then 
the deception could simulate the effects of the virus and lead the attacker to 
believe that his attack has been successful. The virus would then be removed 
without the knowledge of the attacker. If the attacker attempted a denial-of- 
service attack, the system could respond with a slowdown to simulate the 
success of the attack. 

f. Demonstration 

This refers to maneuvering one’s forces with no intention of 
following through to distract or confuse the enemy. Sometimes demonstrations 
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are also conducted to desensitize the target to lull them into a false sense of 
security or complacency. Prior to the surprise Yom Kippur attack in 1973, the 
Egyptians moved their troops to conduct exercises near the border, and in the 
final exercise crossed the border into Israel [Dunnigan & Nofi, 1995]. 
Demonstrations in information systems may be counter-productive for the 
defender since a show of “strength” may invite rather than deter attackers. When 
Microsoft released their XP version of the Windows operating system as their 
“safest ever”, hackers got to work on it almost immediately and soon found many 
flaws to exploit [Dunnigan, 2002]. A demonstration could work well in a honeypot, 
where attackers would unwittingly test their skills for the benefit of the honeypot’s 
data collection. 

g. Feints 

Feints are an extension of a demonstration in that an attack is 
followed through. In so doing, the attacker distracts the enemy from the real main 
attack that is underway elsewhere. The classic example is the Allied invasion of 
Normandy in 1944, in which the Germans had been successfully misled to 
believe that the main attack would take place elsewhere. By the time the 
Germans discovered the truth, the Allies had already gained a strategic foothold 
on the French coast. In the cyber world, defensive feints may be carried out by 
blocking attacks on certain network ports with warning messages while allowing 
them on others where the effects of a successful attack may be simulated [Rowe 
& Rothstein, 2003]. 

h. Lies 

Lies involve using media, messages or radio communications to 
falsely make pronouncements or answer enemy questions. Internet surfers may 
be greeted with annoying pop-up windows where a seemingly convenient link 
with the message “click here to close window” or spam mail with “click here to 
unsubscribe” actually connects them to sites where they are vulnerable to further 
attacks. The W32.Swen.A@mm worm and many of its variants send fake 
electronic mail messages that appear to have originated from Microsoft 
[Symantec, 2003]. 
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/. Insight 

Insight involves outthinking and outsmarting the enemy by seeing 
through his tactics and exposing his intent. Cyberwarfare is no different from 
conventional warfare in that the attackers and defenders can try to outsmart the 
opponent. Attacks typically include vulnerability scans, gaining access and 
administrator privileges, downloading malicious software and so on. It is possible 
to anticipate some of the attackers’ moves through the use of a counterplan for 
deception [Rowe 2003], thereby creating an additional defensive layer against 
the attacker. Similarly, [Cohen2, 1998] used insight into the attackers’ operations 
in his Deception Toolkit. 

2. Semantic Cases 

[Rowe, 2004] has developed a more comprehensive taxonomy of 
deception based on the theory of semantic cases. It is based on the claim that 
“deception operates on an action to change its perceived associated case 
values,” and gives rise to many different methods of deception derived from a 
combination of cases. Out of the possible 30 cases, Rowe found that only 19 
were amenable to application in information systems. Table 2 below lists the 19 
cases and how they may apply in information systems. 
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Class 

Case 

Extension 

Examples in Information Systems 

Essence 

Supertype 

Generalization of 
the action type 

Installing software with no purpose 
except to crash a computer 

Whole 

Of which the action 
is a part 

Changing the system-administrator 
password temporarily as part of an 
attack plan to steal secrets 

Participant 

Agent 

Who initiates the 
action 

Attacker pretends to be the system 
administrator 

Object 

What the action is 
done to 

Storing fake information on a computer 
system that you hope an attacker will 
steal 

Instrument 

Something that 
helps accomplish 
the action 

Putting spyware in a Web browser 

Space 

Direction 

Of the action 

Sending damaging cookies back to an 
attacker of a Web site 

Location-from 


Spoofing of Internet IP address or Web 
pages 

Location-to 


Attacks on unexpected sites or ports, 
like those of seemingly little value 

Location-through 


Attacks through supposedly secure 
intermediate sites 

Time 

Frequency 

Of occurrence 

Denial of service created by 
overwhelming resources with 
transactions 

Time-at 


False times for log file records 

Time-through 


Deliberately delaying response to an 
attacker 

Causality 

Cause 


Lying to an attacker about the network 
connection being down as the reason 
they cannot download something 

Effect 


Lying to an attacker that a suspicious 
file has been downloaded 

Purpose 


Software asking an attacker for their 
password to check whether it is good 

Quality 

Accompaniment 

Additional object 

A utility that contains a virus 

Content 

Action object type 

A file with an image-file extension that is 
actually an executable 

Measure 

Quantity 

Deliberately downloading a too-large file 
to create denial of service 

Value 

transmitted 

Deliberately capitalizing each command 
sent to a case-sensitive operating 
system 


Table 2. A Selected List of Semantic Cases as Applied to Information Systems 

(After [Rowe, 2004]). 
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C. CYBER DECEPTION AND CYBER DEFENSE 

Cyber deception is not employed for cyber attacks alone. Various groups 
of computer scientists and software engineers have developed cyber deception 
applications with a defensive slant. Some, like honeypots, are passive in nature 
and have a specific but limited purpose, while others like intelligent software 
decoys reinforce computer defense against cyber attacks. 

1. Software Decoys 

[Michael & Riehle, 2001] introduced intelligent software decoys to cover a 
“spectrum of deceptive defensive activity” in computers and networks. The goal 
of the software decoys is to provide additional layers of defense called software 
wrappers that divert the attention and resources of the attacker while giving the 
impression that the attack is succeeding. In so doing, the damage done to the 
target system is limited, while information on the attacker is being gathered at the 
same time. 

The need for software decoys comes from the perceived ineffectiveness of 
existing protection methods. These include intrusion-detection systems (both 
anomaly and misuse detection), firewalls, and “patch-and-pray” methods [Rowe 
et al, 2002; Michael et al, 2002]. The problem is made worse by impending 
centralization of military information systems (“network-centric warfare”) 
reinforcing the call for protection against cyber warfare [Michael, 2002]. Software 
decoys can be regarded as a viable second line of defense given the numerous 
vulnerabilities of COTS software and operating systems that are used by many 
military organizations. 

Intelligent software decoys adapt to an intrusion instead of blocking it 
outright. Adapting refers to the ability to tolerate violations of the software 
contract which occurs when the “obligations and benefits between the 
component and the calling process or thread” are infringed [Michael, 2002]. At 
the same time, the intrusion is studied and diverted to an “antechamber” [Michael 
& Riehle, 2001] which may well reside on a different platform so as to limit the 
damage that could be inflicted by the attacker. Within this antechamber. 
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deception methods are applied to delay or distract the attacker, as shown by the 
examples in Table 2. 



Figure 2. Software Decoy Architecture (From [Michael et al, 2002]) 

The software decoy architecture in Figure 2 shows the use of wrappers to 
protect software components against attack. The wrappers reside within the 
operating system and are supervised by predetermined rules that specify 
behavior patterns and decoy actions. 

In a related development, [Rowe, 2004] suggested “generic excuses” that 
are based on his theory of deception from semantic cases. By making use of the 
human ability to derive patterns from what they observe or experience, the 
process of bundling together a series of deception ploys builds a hypothesis in 
the attacker’s mind. As a result, these generic excuses that are created from the 
bundle of deception ploys provide a potentially more convincing deception 
against attackers. 
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2. Other Related Work 

The Deception ToolKit [Cohen2, 1998] was developed to “increase 
attacker workload while reducing defender workloads.” It conveys an impression 
of the defenses of a computer system that are different from what they really are 
by creating phony vulnerabilities. The Deception ToolKit is effective against 
automated attack tools that scan for known vulnerabilities by reporting a large 
number of them, each with insufficient information to confirm them to be real or 
otherwise. This wastes the attacker’s resources in having to test each one of 
them. In the meantime, each attack against the deceptive vulnerabilities is 
monitored. The Deception ToolKit raises two pertinent issues on deception. 
Firstly, it is difficult to create good deceptions to meet complex requirements, but 
simple deceptions that meet simple requirements are still useful as they can fool 
all but the most sophisticated attackers. Secondly, each failed attack against the 
deceptive vulnerabilities mentioned is immediately detected by the defender, 
giving the attacker little time to react and mount a successful attack thereafter. 
Given these, [Cohen2, 1998] concludes that there is indeed a very good case for 
using deception in cyber defense. 

Honeypots [HoneyNet, 2002] were conceived to lure attackers to study 
their attack methods, patterns and techniques. A honeypot is a network of 
systems that is intended to be compromised by attackers to reveal their behavior 
during an attack. When the use of honeypots was revealed to the larger Internet 
community, hackers became more careful to look harder to see if the site they 
were attacking was in fact a honeypot. Some non-honeypot servers were also 
given honeypot-like features to deter those hackers who were familiar with such 
features [Dunnigan, 2002]. 

Recent work in the theory of cyber deception involves the use of deceptive 
agents in formalizing the decision to deceive [de Rosis et al, 2004]. The decision 
to deceive is part of a deception plan model that takes into account the 
dispositions, inclinations and mental states of the sender and receiver of the 
deception messages. This model explores the ability to deceive without having to 

lie, for example by conveying uninfluential truths to confuse the receiver, or by 
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exploiting the receiver’s inherent distrust. The authors claim that the advantage 
of such “falsely sincere” deceptions are reduced risks and consequences of 
detection. Another aspect of the deception plan is the evaluation of the validity of 
a deception strategy to select the optimal deception instrument. The evaluation 
takes into consideration the impact, plausibility and credibility of the deception 
object, as well as its safety and computational costs. A final component in the 
evaluation is what the authors call the “horizon effect” which states that a good 
strategy is one that opens up good strategies in the future, as opposed to a 
strategy that is good now but turns bad later on. All the above are synthesized 
into a formal deception strategy and applied to a probability-based simulation 
experiment, in which the criteria applied by the system are evaluated against 
those applied by human subjects. However, there are risks associated with 
performing such experiments with human subjects, as their ability to deceive or 
be deceived varies with their backgrounds. There is also the issue of the 
“availability effect” in which people tend to assess the value of uncertainties 
heuristically to size the situation better, and this sometimes leads to systematic 
errors. 

D. PITFALLS OF CYBER DECEPTION 

As with conventional deception, there are cyber traps that can backfire, or 
forms of cyber deception that are inherently riskier than others. The use of cyber 
deception could irritate genuine users who have legitimate rights to the system, 
only to find that the attempt to gain access to a certain directory within the 
system has led them down a different, unexpected path. Imagine the annoyance 
if a user had spent time and effort working on a document and tried to save it in a 
particular directory, only to find that it has gone missing because the directory 
was a deceptive one [Rowe & Rothstein, 2003]. 

When cyber deception is employed against hackers, the effects could vary 
depending on the nature of the attack. An amateur or script kiddie may be put off 
by the lack of success and move on to another system, in which case the 
defense was successful. If the deception was detected, they could be provoked 
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and see it as a challenge. That would lead them to try harder using alternative 
methods to defeat the defenses. In addition to the risk of being detection, [de 
Rosis et al, 2004] also considers the severity of the consequence of the 
detection, and both risk and consequence are grouped together as a “safety” 
factor in their calculations. A professional hacker who is targeting a particular 
system may not be deterred and may simply be angered by the discovery of 
having been fooled by the deception. A terrorist may revert to conventional 
means of physical attack if cyber attacks are unsuccessful. The use of cyber 
deception may also introduce unintended consequences. When deception was 
employed to counter computer network scanners, it also worked against genuine 
users. The same technology used to keep out unwanted scanners was also 
successful against bona fide workers who were scanning their systems for 
vulnerabilities [Cohen2, 2001]. 

E. CYBERTERRORISTS AND CYBER DECEPTION 

1. Attack Tools 

As many of the offensive operations that a cyberterrorist would carry out 
involve attacking information systems, we can expect that many of the attack 
tools employed by the cyberterrorist will be the same as those used by cyber 
activists, hackers, and cyber criminals. 

[CohenS, 1998] postulated that the three main aspects of information 
technology exploited by cyberterrorists are anonymity, cryptography, and the 
widespread release of attack tools. Anonymity enables the cyberterrorists to 
carry out their tasks without fear of reprisals, since true anonymity means that 
their identity cannot be traced and exposed. Cryptography reinforces anonymity 
but also provides cyberterrorists with security and confidentiality of their 
communications from law enforcement agencies. Since the release of high- 
quality cryptography such as Pretty Good Privacy (PGP) to the public, 
cryptography has been a double-edged sword as it can serve both good and evil 
purposes; [Denning, 1995] mentioned a report by the FBI on the use of 
encryption by terrorists who were plotting to assassinate Pope John Paul II 
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during his visit to the Philippines. The third issue, the release of attack tools over 
the Internet, may actually enhance security by providing useful information about 
attacks to law enforcement as well as providing tools to defenders for searching 
their own systems for vulnerabilities [Dunnigan, 2002], The flip side of the coin, 
as argued by Cohen, is that with so much information and data available, military 
intelligence or law-enforcement agencies will have a much harder time trying to 
sift through the noise to expose the real cyberterrorist attacks. 

Other cyber attack tools provide the means for attackers to achieve their 
goals in cyberspace. There are roughly four categories, namely reconnaissance, 
scanning, gaining access and maintaining access. Table 3 below provides a brief 
description and some generic examples. 


Attack Step 

Description 

Examples 

Reconnaissance 

Obtaining information on the target by 
researching the Web, newsgroups, 
open source media or actively seeking 
the information through unscrupulous 
means. 

- Desk checking 

- Social engineering 

- Dumpster diving 

- Physical break-ins 

Scanning 

Searching for vulnerable servers or 
personal computers that are 
connected to the Internet. 

- Network mapping 

- Port scanning 

- Vulnerability scanning 

Gaining Access 

Obtaining entry to a vulnerable 
computer by exploiting weakness or 
flaws in its operating system, or 
through the use of access controls 
that were fraudulently retrieved. 

- Stack-based buffer 
overflow attacks 

- Password attacks 

- Password cracking tools 

- Sniffing 

- IP address spoofing 

- Session hijacking 

Maintaining 

Access 

Taking steps to avoid being 
discovered or planting malicious 
software so as to be able to regain 
access to the target system 

- Covering tracks 

- Backdoors and Trojan 
Horses 

- Keystroke loggers 

- Rootkits 


Table 3. Cyberterrorism Techniques (After [Denningl, 1999; Dunnigan, 2002; Fox 

et al, 2002]). 


Using the attack steps in Table 3 and Cohen’s list of attack mechanisms 

[Cohen 1, 1998], we find that most of the software-based attack mechanisms 
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apply to gaining and maintaining access. As such, we will concentrate on these 
two steps. These are listed in Table 4. 


Target 

Attack Technique 

Desired Effect 

Difficulty 


Denial-of-service 

System non-availability 

Easy 


Rootkit installation 

Control of system 

Moderate 


Sabotage 

System manipulation / 
destruction 

Easy 


Trojan Horse 

Control of system / 
system destruction 

Moderate 

Information 

Buffer overflow attack 

Control of system 

Moderate 

Systems 

Spoofing 

Control of system 

Moderate 


Password theft / attack 

Control of system 

Easy 


Virus / worm 

System non-availability 
/ destruction 

Easy 


Data diddling 

System non-availability 
/ manipulation 

Moderate 


Subversion 

Control of system 

Hard 


Denial-of-service 

Site non-availability 

Easy 


Defacement 

Hacktivism 

Easy 

Web sites 

Terror 


Virus / worm 

Site non-availability / 
destruction 

Moderate 


Denial-of-service 

Service non-availability 

Easy 

Electronic 

Mail 

Rumor spreading 

Propaganda 

Easy 

Deception 


Virus / worm 

Service non-availability 
/ destruction 

Moderate 

General 

public 

Extortion (e.g. by 
publishing on Web site 
names of police 
officers targeted for 
attack) 

Fear 

Moderate 


able 4. Cyberterrorism Attack Tools (After [Coheni, 1998; Denningl, 1999]). 


We find that in most instances, carrying out the attacks is not hard. The 
main reason for this is that there is a plethora of existing attack tools which can 
be easily downloaded from the Internet, and the list is increasing every day. The 
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findings from the 1997 no-notice exercise ELIGIBLE RECEIVER stated that there 
were some 1900 Web sites from which hacking tools were publicly available. 
There could be many more today. The ease of attack applies not only to target 
Web sites and electronic mail, but also to information systems such as electronic 
commerce or database systems. Moreover, it should be mentioned that the 
reconnaissance and scanning steps are also relatively easy to carry out. In 
particular, there are also many automated tools widely available on the Internet 
for scanning. On the whole, we find that the apparent ease with which a 
cyberterrorist may attack suggests that it is a question of the will of 
cyberterrorists, and not the feasibility, that prevents them from actually attacking. 

2. Terrorists, Cyberterrorists, and Deception 

[CohenS, 1998] postulates that terrorist tactics are deceptive in nature 
because the sense of fear that they create is larger than the danger they actually 
pose. To use Whaley’s terminology, terrorism is mimicking a threat that is grossly 
exaggerated, while masking the terrorists’ true capabilities in imposing a danger 
to warrant that level of threat. In cyberspace, a similar level of fear could be 
generated if an act of cyberterrorism like those mentioned previously occurs. For 
one, it could be unprecedented, and this alone would generate a significant 
amount of publicity. The media could quickly become a proxy tool of the 
cyberterrorists as different publications vie to postulate the vulnerabilities of 
information systems to cyberterrorists, the failure of government to prevent such 
an event, and the likely occurrence of copycat acts. A September 2003 
Washington Post article cited a Pew study in which nearly half of the 1000 
Americans surveyed feared that the next terrorist attack would involve a cyber 
component [McCarthy, 2003]. Given our heavy reliance on information 
technology, a solitary act by one cyberterrorist group could have political and 
psychological ramifications beyond the actual act. However, until we see such an 
event, many are still swayed by the arguments of the “cry wolf and “realist” 
camps, and will continue to regard cyber attacks as a costly nuisance. 

[Higginbotham, 2001] explored several ways in which terrorists may 
themselves be deceived. First, many of these organizations have a patriarchal 
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structure with followers of fanatical and unquestioning loyalty. This combination 
suggests that targeting the terrorist leadership alone could have a significant 
effect on the entire organization. Second, to operate effectively, terrorists need 
accurate intelligence. In addition to the traditional sources of intelligence such as 
the media, terrorists are increasingly reliant on the Internet and information 
technology to meet their intelligence requirements [CohenS, 1998]. These create 
new channels through which they can also be deceived. Third, terrorists 
constantly strive to balance between operational efficiency and security. High 
levels of security drastically impede their ability to carry out operations. 
Conversely, being able to conduct their operations efficiently usually comes at a 
cost to security and secrecy. Deception operations could be targeted at the 
terrorist organizations’ confidence in their own security to affect their operational 
efficiency. 

The future of terrorism sees in part a trend towards human networks, with 
loose organizations working in small groups and held together by a common 
purpose. Their command-and-control is dispersed but they are connected via the 
Internet and other communications technologies. One implication of network 
organizations is that there is no single center of gravity which if targeted would 
disable the entire terrorist group. Another implication is their ability to operate 
across national boundaries, making it difficult for any one country to effectively 
deal with them. However, their dispersion also creates weaknesses, since the 
constant need for communications and coordination in the network exposes them 
to vulnerabilities of interception and eavesdropping. If they use electronic mail, 
which they likely are, they are also exposed to tracing, surveillance and cyber 
attacks [Higginbotham, 2001; Arquilla & Ronfeldt, 2001]. 

How such networked organizations may benefit cyberterrorist groups 
remains to be seen. One may argue that it is the technology-savvy groups that 
have brought about such a revolution to the structure of terrorist organizations in 
the first place. Given their track record and credentials for violence, these may be 
the groups that are most likely to build a cyberterrorism capability that they are 

prepared to use. Conversely, cyberterrorism requires a high level of expertise. 
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For a cyberterrorist group to operate effectively, it will likely need to centralize its 
computer experts and equipment. Some organizations may incorporate both 
features, with a networked structure to support the “traditional” terrorist activities, 
and a cyberterrorist wing where cyber attack capabilities are developed and 
implemented. Such a dual structure is difficult to deceive. The weaknesses of the 
networked structure are not present in a centralized cyberterrorist wing; yet the 
cyberterrorist wing cannot be influenced by targeting its leadership because the 
terrorist leader is apart from the wing itself. 

Combining these factors with the actors elaborated in Chapter II, we can 
explore the possibilities for deception. Table 5 on the next page shows the four 
ways in which terrorists may be deceived in a matrix against the six categories of 
cyberterrorists (expanded from the four in Chapter II for greater granularity). The 
possible outcomes have been shaded for clarity. 
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^^^Deception 

^^^Target 

Actors 

Leadership 

Cyberspace 

intelligence 

Security 

confidence 

Communication 

networks 

a. Lone 

cyberterrorists 

Possible: Brains 
and body are one 
and the same 

Possible: The 
Internet is likely a 
major source of 
intelligence 

Difficult: They do 
not need to trust 
others 

Difficult: No need 
for 

communications 

b. Small, 
technologically 
sophisticated 
groups 

Possible: Leader 
has direct control 
of organization 

Possible: The 
Internet is likely a 
major source of 
intelligence 

Difficult: Group 
cohesion 
expected to be 
tight 

Difficult: Being 

small and 

centralized 

reduces 

communication 

requirements 

c. Same as b. 
but as a wing in 
a larger 
organization 

Difficult: Group 
leader different 
from organization 
leader 

Possible: The 
Internet is likely a 
major source of 
intelligence 

Difficult: Group 
cohesion could 
be tight but it is 
not certain 

Difficult: Being 

small and 

centralized 

reduces 

communication 

requirements 

d. Large 
Religious 
fundamentalist 
organizations 

Possible: Leader 
has direct control 
of organization 

Possible: The 
Internet is likely a 
major source of 
intelligence 

Possible: Large 
organizations 
cannot have 
complete control 
over information 
flows 

Possible: Large 
dispersed 
organizations 
need frequent 
communications 
for coordination 

e. Government- 
backed or 
sponsored 
units 

Possible: Group 
leader may be 
known 

Difficult: They 
would have 
ready access to 
other intelligence 
sources 

Difficult: Secrecy 
and security not 
a fear-inducing 
issue 

Possible: Large 
dispersed 
organizations 
need frequent 
communications 
for coordination 

f. Same as e. 
but government 
links are covert 

Difficult: 

Hierarchy of 
leadership not 
easy to 
determine 

Difficult: They 
would have 
ready access to 
other intelligence 
sources 

Difficult: Secrecy 
and security not 
a fear-inducing 
issue 

Difficult: Need for 
additional 
secrecy would 
probably result in 
special 

communications 

means 


Table 5. Deceptions against Cyberterrorists. 


Table 5 suggests that many of the cyberterrorist categories are 
susceptible to deceptions in cyberspace. This is probably due to their heavy 
reliance on it for their medium of operations. The table also suggests that 
government cyberwarfare units could be difficult to deceive, because they are not 
in the same outlaw situation as terrorists. A further conclusion that we can draw 
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from Table 5 as well as from many examples earlier in this chapter is that 
cyberspace offers significant opportunities for deceiving cyberterrorists. It 
remains to be shown that cyber deception is a viable defense against the attacks 
of cyberterrorists. 

[Rowe and Rothstein, 2003] concluded that only lies, displays and insights 
from Dunnigan and Nofi’s taxonomy of deception [Dunnigan & Nofi, 1995] were 
suitable as tools for defensive deception. Combining these with Rowe’s generic 
excuses [Rowe, 2004] and the attack stages (Table 3), we can explore the 
viability of cyber deception against the different stages of a cyber attack. These 
are elaborated in Table 6 below. The viable outcomes are shaded for clarity. 


Deception 

Target 

Attack 

Stages 

Generic Excuses / Lies 

(e.g. false error 
messages) 

Dispiays 

(e.g. simulating attack 
effects) 

insight 

(e.g. deception 
counterplan) 

Reconnaissance 

Web searches could 
be turned away 

Not applicable, 
since there is no 
attack 

Difficult to tell 
between legitimate 
network monitoring 
and others 

Scanning 

Automated scanners 
may be fooled 

Not applicable, 
since there is no 
attack 

Difficult to tell 
intention of scanner 

Gaining Access 

Attacker could be 
frustrated and try other 
approaches 

Attacker could be 
fooled by apparent 
success 

Attacker could be 
exposed and 
diverted to 
antechamber 

Maintaining 

Access 

Attacker could be 
frustrated and give up 

Attacker assumes 
he is successful 

Attacker assumes 
he is successful 


Table 6. Cyber Deceptions and Cyber Attacks 


We see that cyber deceptions have limited success in trying to thwart 
reconnaissance and scanning efforts. In any case, we should not be trying to 
deceive every attempt to reconnoiter or scan our systems as we are still unsure 
of their intentions. However, our intrusion-detection systems should now be on 
the alert and ever watchful of attempts to move to the next step. By attempting to 
gain unauthorized access, we would have ascertained that an attack is taking 
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place and this is where cyber deception can be effective. Although Table 6 only 
deals with generic examples, it is clear that cyber deception can be an effective 
second line of defense [Michael & Riehle, 2001; Rowe et al, 2002] when the 
attacker is attempting to gain access, or has already done so. 
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V. CONCLUSION 


While there have been many studies in the separate areas of terrorism, 
cyberterrorism, deception and cyber warfare, it is hoped that by putting them 
together we can establish the significance of the cyberterrorism threat. We have 
verified firstly that cyberterrorists are likely to have similar motivations with 
terrorists in desiring violence and destruction to meet their political or other 
causes. While there have been no clear acts of cyberterrorism to date, this could 
be the result of lack of motivation or ability to carry out the attacks in cyberspace 
and not the feasibility. However, this situation is not expected to remain as is, 
given the advantages offered by cyberterrorism against forces and societies that 
rely heavily on information technology. Moreover, many terrorist and state 
sponsored groups are seeing the asymmetrical benefits of information warfare as 
a means of redressing the conventional military imbalance of the U.S. vis-a-vis 
the rest of the world. 

Secondly, we see that deception has been commonplace in nature and in 
human history, and it has quickly pervaded cyberspace as an offensive tool. 
Unfortunately, many of the existing uses of cyber deception have tended to be for 
unethical or immoral purposes. If employed innovatively and skillfully, cyber 
deception could become an essential component of defense mechanisms in 
future. Many such deception ideas have been proposed. 

Thirdly, if it is possible to deceive terrorists, then it should also be possible 
to deceive cyberterrorists. The reliance of cyberterrorists on information 
technology makes them vulnerable to cyber deceptions. In addition, many of the 
methods and tools that cyberterrorists would use are similar to those used by 
other less malicious hackers, so we can plan specific deceptions to use against 
them in advance. 

Finally, the lack of actual examples of cyberterrorism (although a blessing) 
makes it hard to pinpoint specific methods, tools or desired outcomes for policy 
recommendations. There is much literature available on the methods. 
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motivations and psychology of terrorists, but little is available in comparison for 
cyberterrorists. What is available tends to be confined to arguments on the 
nature of the threat, rather than the threat itself. Thus more work will need to be 
done on studying the vulnerability of critical information systems, their potential 
exposure to cyberterrorists and the damage they could do if they gained access. 
Finally, just like updating an anti-virus software against new strains of viruses, 
cyber deception methods that are being developed need to be constantly 
updated to remain relevant in their ability to deceive a cyberterrorist attack. 
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